This document describes how to authenticate to Google Cloud from the ABAP SDK for Google Cloud.
Applications developed using the ABAP SDK for Google Cloud require authentication to connect to Google Cloud APIs. The SDK enables the usage of Google Cloud recommended best practices for authentication.
For authentication and authorization to access Google Cloud APIs, the SDK mainly uses tokens. To access Google Workspace APIs, you can use OAuth 2.0 client credentials. OAuth 2.0 client credentials let you retrieve a token in the context of an end user, such as a token required to access Google Sheets. To use OAuth 2.0 client credentials, your SAP system must support OAuth 2.0.
In addition, the SDK also supports API keys for authenticating to Google Cloud APIs that accept them, such as the Address Validation API.
Depending on the Google Cloud APIs that you need to access and the security requirements of your host SAP system, you can choose an appropriate method of authentication. The following list summarizes different methods of authentication supported by the SDK:
- Authenticate to Google Cloud APIs using tokens
  - Authenticate using tokens for SAP on Compute Engine VM
  - Authenticate using tokens for SAP hosted outside Google Cloud
- Authenticate to Google Workspace APIs using OAuth 2.0 client credentials
- Authenticate to Google Cloud APIs using API keys
Authenticate using tokens for SAP on Compute Engine VM
This section shows how to set up authentication to access Google Cloud APIs using tokens when your SAP system is hosted on a Compute Engine VM instance.
In the Google Cloud console, enable the IAM Service Account Credentials API for your Google Cloud project that requires authentication. Along with the IAM Service Account Credentials API, you need to enable any other supported APIs that you plan to access using the SDK.
For information about how to enable Google Cloud APIs, see Enabling APIs.
In the Google Cloud console, create an IAM service account for authentication and authorization to access Google Cloud APIs.
For information about how to create a service account, see Create a service account.
Attach the service account to the VM instance where your SAP workload is running. When you attach the service account to your VM instance, the Google Cloud access scope cloud-platform is automatically set on the VM instance. Make sure that you've granted the Service Account Token Creator role to the service account. For more information, see Set up Google Cloud security. If you have multiple VM instances for the same SAP installation, then you must complete this step on all those VM instances.
In the Google Cloud console, grant the service account the required IAM roles to access the API functionality. To understand the role requirement for APIs, see the individual API documentation and follow the principle of least privilege. For example, to understand the role requirement for the Pub/Sub API, see Access control for Pub/Sub.
If you created the service account in a different project than the project that contains the Google Cloud APIs, then you must perform additional steps for the service account setup. For more information, see Set up service accounts in a cross-project environment.
In the SAP system, configure the client key:
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Click New Entries.
- Enter values for the following fields:

Field | Description
---|---
Google Cloud Key Name | Specify a name of the client key configuration. For example, TEST_PUBSUB.
Google Cloud Service Account Name | Specify the name of the service account. For example, sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com.
Google Cloud Scope | Specify the API access scope, https://www.googleapis.com/auth/cloud-platform.
Google Cloud Project Identifier | Specify the ID of the Google Cloud project that contains your target APIs.
Command name | Leave this field blank.
Authorization Class | Specify the authorization class, /GOOG/CL_AUTH_GOOGLE.
Token Caching | The flag that determines whether or not the access tokens retrieved from Google Cloud are cached. We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching.
Token Refresh Seconds | The amount of time, in seconds, before an access token expires and must be refreshed. The default value is 3500.
Authorization Parameter 1 | Leave this field blank.
Authorization Parameter 2 | Leave this field blank.

- Save the new entry.
Recommended: In the SAP system, create new RFC destinations for the APIs that you plan to consume using the ABAP SDK for Google Cloud.
For information about creating RFC destinations, see RFC destinations.
In the SAP system, configure the service mapping table for IAM API, and other APIs that you plan to consume using the ABAP SDK for Google Cloud.
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.
- Click New Entries.
- Specify RFC destinations for the IAM API and other APIs, for example, Pub/Sub API v1:

Google Cloud Key Name | Google Cloud Service Name | RFC Destination
---|---|---
Client key name | iamcredentials.googleapis.com | GOOG_IAMCREDENTIALS
Client key name | pubsub:v1 | RFC_PUBSUB_V1

- Save the new entry.
In the SAP system, validate the authentication configuration. For more information, see Validate authentication configuration.
Set up service accounts in a cross-project environment
The host VM of your SAP system, which contains the SDK, can be in a different Google Cloud project than the one with the Google Cloud APIs enabled. In this case, you must set up service accounts with the required IAM roles so that the SDK can access the APIs from the different project.
The following table shows an example of service account setup for cross-project API access.
Environment | SAP host VM | Google Cloud APIs
---|---|---
Google Cloud project | project-sap-host | project-google-apis
Service account assigned to the SAP host VM | sa-sap-host@project-sap-host.iam.gserviceaccount.com | N/A
Service account for accessing Google Cloud APIs | sa-google-apis@project-sap-host.iam.gserviceaccount.com | N/A
IAM roles for the service account | In the project project-sap-host, grant the service account sa-sap-host@project-sap-host.iam.gserviceaccount.com the Service Account Token Creator role. | In the project project-google-apis, add the service account sa-google-apis@project-sap-host.iam.gserviceaccount.com as a principal and grant it the appropriate roles to connect to the Google Cloud APIs.
To set up the service accounts, perform the following steps:
- In the Google Cloud project that contains your SAP host VM, grant the service account of the SAP host VM the Service Account Token Creator role. For more information about the steps, see Grant a single role.
- In the Google Cloud project that contains your SAP host VM, create a service account. Note the name of the service account. You specify this name when you add the service account as a principal to the other project that contains the Google Cloud APIs.
- In the other project that contains the Google Cloud APIs, add the service account as a principal and grant appropriate roles to connect to the Google Cloud APIs.
To add a service account to the Google Cloud project that contains the Google Cloud APIs, perform the following steps:
- In the Google Cloud console, go to the IAM Permissions page.
- Confirm that the name of the project that contains the target Google Cloud APIs is displayed near the top of the page. For example: Permissions for project "PROJECT_NAME". If it is not, then switch projects.
- On the IAM page, click Grant access. The Grant access to "PROJECT_NAME" dialog opens.
- In the New principals field, specify the name of the service account.
- In the Select a role field, specify a relevant role. For example, for Pub/Sub, to modify topics and subscriptions, and access to publish and consume messages, you can specify the role Pub/Sub Editor (roles/pubsub.editor). For more information about API specific predefined roles, see IAM basic and predefined roles reference.
- Add additional roles as required for your API usage. Implement Google recommended best practices by applying the principle of least privilege.
- Click Save. The service account appears in the list of project principals on the IAM page.
Authenticate using tokens for SAP hosted outside Google Cloud
This section shows how to set up authentication to access Google Cloud APIs using tokens when your SAP system is running on a host that is on premises, on another cloud provider, or in another environment outside of Google Cloud.
For authentication to Google Cloud, you use Google Cloud signed JSON Web Tokens (JWT) to obtain access tokens from Google Cloud.
The high-level configuration steps are as follows:
- Create a service account for JWT based token retrieval.
- Configure security settings for Google Cloud on the SAP host.
- Enable the Google Cloud APIs.
- Create another service account for authorization to access Google Cloud APIs.
- Create SAP configurations.
- Validate authentication configuration.
Create a service account for JWT based token retrieval
For JWT based authentication to Google Cloud, ABAP SDK for Google Cloud needs an IAM service account.
Create a service account
In the Google Cloud console, create an IAM service account for JWT based token retrieval, and grant the service account the Service Account Token Creator role.
For information about how to create a service account, see Create a service account.
Create a service account key
You need to create a P12 service account key for the service account used for JWT based token retrieval.
To create a service account key, perform the following steps:
- In the Google Cloud console, go to the IAM & Admin Service accounts page.
- Select your Google Cloud project.
- Click the email address of the service account that you created for JWT based token retrieval in the previous section, Create a service account.
- Under the service account name, click the Keys tab.
- Click the Add Key drop-down menu, and then select Create new key to create a service account key.
- Accept P12 as the key type and click Create. A private key is downloaded to your computer.
- Make a note of the password for the private key file, notasecret.
- Provide the private key and password to your SAP administrator to import the private key into STRUST, as described in Import the service account key into STRUST.
Enable JWT signing for the service account on the SAP host system
To enable JWT signing for the service account that you created for JWT based token retrieval, you need to configure the client key JWT_SERVC_ACCT.
To enable JWT signing for a service account, perform the following steps:
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Click New Entries.
- Enter values for the following fields:

Field | Description
---|---
Google Cloud Key Name | Specify JWT_SERVC_ACCT.
Google Cloud Service Account Name | Specify the name of the service account for JWT based token retrieval. For example, sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com.
Google Cloud Scope | Specify the API access scope, https://www.googleapis.com/auth/cloud-platform.
Google Cloud Project Identifier | Specify the ID of the Google Cloud project that contains your target APIs.
Command name | Leave this field blank.
Authorization Class | Specify the authorization class, /GOOG/CL_AUTH_JWT.
Token Caching | The flag that determines whether or not the access tokens retrieved from Google Cloud are cached. We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching.
Token Refresh Seconds | The amount of time, in seconds, before an access token expires and must be refreshed. The default value is 3500.
Authorization Parameter 1 | Leave this field blank.
Authorization Parameter 2 | Leave this field blank.

- Save the new entry.
Configure security settings for Google Cloud on the SAP host system
To enable JWT signing for the service account that you created for JWT based token retrieval, you need to configure security settings for Google Cloud on the SAP host system.
Create a new Secure Store and Forward (SSF) Application
In the table SSFAPPLIC, create a new entry with the name ZG_JWT by using transaction SE16.
To create a new entry in the table SSFAPPLIC, perform the following steps:
- In the SAP GUI, enter transaction code SE16.
- In the Table Name field, enter SSFAPPLIC, and create a new entry.
- For the APPLIC field, enter ZG_JWT.
- Select all fields except B_INCCERTS, B_DETACHED, B_ASKPWD, and B_DISTRIB.
- In the DESCRIPT field, enter JWT Signature for GCP.
- Save the new entry.
This entry becomes a new node in transaction STRUST, where you import the service account key.
Enable the STRUST node
Use transaction SSFA to enable the STRUST node for JWT Signature for GCP.
To enable the STRUST node, perform the following steps:
- In the SAP GUI, enter transaction code SSFA.
- Click New Entries.
- In the SSF Application drop-down list, select JWT Signature for GCP. This is the new entry that you created in the table SSFAPPLIC. The application specific SSF parameters are automatically populated.
- Save the new entry.
A new node SSF JWT Signature for GCP is enabled in transaction STRUST.
Import the service account key into STRUST
To import the service account key into STRUST, perform the following steps:
- In the SAP GUI, enter transaction code STRUST.
- Verify that the new node in transaction STRUST is SSF JWT Signature for GCP.
- Import the private key file:
  - Select PSE > Import from the menu bar.
  - Depending on your SAP system, select the appropriate private key:
    - SAP S/4HANA: Select the P12 private key. Enter the file password notasecret, and then click OK.
    - SAP ECC: Select the PSE private key. You need to convert the P12 private key that you downloaded earlier into a PSE private key. For more information about converting a P12 key into a PSE key, see Convert P12 key into PSE key. Enter the file PIN that you created during the private key conversion from P12 key to PSE key, and then click OK.
- Select PSE > Save as.
- Select SSF Application, and in the corresponding input field, select the new SSF Application node that you created in Create a new Secure Store and Forward (SSF) Application.
- Save the new entry.
The service key is attached to the SSF application node SSF JWT Signature for GCP.
Convert the P12 private key into PSE key
If your SAP system is SAP NetWeaver 7.0x (SAP ECC), then you need to convert the P12 key into a PSE key.
To convert the P12 key into a PSE key, perform the following steps:
- Go to the path /usr/sap/SID/SYS/exe/run/, replacing SID with the SAP system ID.
- Run the following command after replacing the placeholders:
  sapgenpse import_p12 -p PSE_PATH_AND_FILE_NAME P12_PATH_AND_FILE_NAME.p12
  Replace the following:
  - PSE_PATH_AND_FILE_NAME: the path and file name for the PSE file
  - P12_PATH_AND_FILE_NAME: the path and file name for the P12 key file
- Enter the password of the P12 private key file, notasecret.
- Create a new PIN for the PSE private key and re-enter your PIN.
- Make a note of the PIN; you need to provide it when importing the PSE private key file into STRUST.
For information from SAP about how to convert a P12 key into a PSE key, see:
Enable the Google Cloud APIs
In the Google Cloud console, enable the IAM Service Account Credentials API for your Google Cloud project that requires authentication. Along with the IAM Service Account Credentials API, you need to enable any other supported APIs that you plan to access using the SDK.
For information about how to enable Google Cloud APIs, see Enabling APIs.
Create a service account for authorization to access Google Cloud APIs
For authentication and authorization to access Google Cloud APIs, the ABAP SDK for Google Cloud needs an IAM service account.
Create a service account
In the Google Cloud console, create an IAM service account. This service account must be a principal in the Google Cloud project that contains the Google Cloud APIs that you plan to consume using the SDK. If you create the service account in the same project that contains the Google Cloud APIs, then the service account is added as a principal to the project automatically.
If you create the service account in a project other than the project that contains the Google Cloud APIs, then you need to add the service account to that project in an additional step.
In the Google Cloud console, create an IAM service account for authentication and authorization to access Google Cloud APIs.
For information about how to create a service account, see Create a service account.
In the Google Cloud console, grant the service account the required IAM roles to access the API functionality. To understand the role requirement for APIs, see the individual API documentation and follow the principle of least privilege. For example, to understand the role requirement for the Pub/Sub API, see Access control for Pub/Sub.
If you created the service account in a different project than the project that contains the Google Cloud APIs that you plan to consume using the SDK, then note the name of the service account. You specify the name when you add the service account to that project. For more information, see Add the service account to the Google Cloud project.
Add the service account to the Google Cloud project
If you created the service account for ABAP SDK for Google Cloud in a project other than the project that contains the Google Cloud APIs that you plan to consume using the SDK, then you need to add the service account to the Google Cloud project that contains the Google Cloud APIs.
If you created the service account in the same project that contains the Google Cloud APIs, then you can skip this step.
To add an existing service account to the Google Cloud project that contains the Google Cloud APIs, perform the following steps:
- In the Google Cloud console, go to the IAM Permissions page.
- Confirm that the name of the project that contains the target Google Cloud APIs is displayed near the top of the page. For example: Permissions for project "PROJECT_NAME". If it is not, then switch projects.
- On the IAM page, click Grant access. The Grant access to "PROJECT_NAME" dialog opens.
- In the Grant access to "PROJECT_NAME" dialog, perform the following steps:
  - In the New principals field, specify the name of the service account.
  - In the Select a role field, specify a relevant role. For example, for Pub/Sub, to modify topics and subscriptions, and access to publish and consume messages, you can specify the role Pub/Sub Editor (roles/pubsub.editor). For more details about API specific predefined roles, see IAM basic and predefined roles reference.
  - Add additional roles as required for your API usage. Implement Google recommended best practices by applying the principle of least privilege.
- Click Save. The service account appears in the list of project principals on the IAM page.
The service account can now be used to access Google Cloud APIs in this project.
Set up HTTPS connection
The SAP application server is required to connect to Google Cloud APIs through HTTPS.
On the SAP host, confirm that firewall rules or proxies are configured to allow outbound HTTPS traffic to the required Google Cloud APIs.
Specifically, your SAP system must be able to access the following API endpoints:
- https://iamcredentials.googleapis.com
- API endpoints for the APIs that you want to consume using the SDK.
Create SAP configurations
For JWT based authentication, create the required SAP configurations.
Create new RFC destinations
For the APIs that you plan to consume using the ABAP SDK for Google Cloud, create new RFC destinations.
For information about creating RFC destinations, see RFC destinations.
Specify access settings in the client key table
To specify the access settings, perform the following steps:
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Click New Entries.
- Enter values for the following fields:

Field | Description
---|---
Google Cloud Key Name | Specify a name of the client key configuration.
Google Cloud Service Account Name | Specify the name of the service account, in email address format, that was created for ABAP SDK for Google Cloud in the step Create a service account. For example: sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com.
Google Cloud Scope | Specify the access scope, https://www.googleapis.com/auth/cloud-platform.
Project ID | Specify the ID of the Google Cloud project that contains your target APIs.
Command name | Leave this field blank.
Authorization Class | Specify the authorization class, /GOOG/CL_AUTH_JWT.
Authorization Field | Leave this field blank.
Token Refresh Seconds | Leave this field blank.

- Save the new entry.
Specify RFC destinations in the service mapping table
Configure RFC destinations for IAM API and other APIs that you plan to consume using the ABAP SDK for Google Cloud.
To specify the RFC destinations, perform the following steps:
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.
- Click New Entries.
- Enter values for the following fields:

Google Cloud Key Name | Service Name | RFC Destination
---|---|---
Client key name | googleapis.com/oauth2 | GOOG_OAUTH2_TOKEN
Client key name | iamcredentials.googleapis.com | GOOG_IAMCREDENTIALS

- Save the new entry.
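The JWT configuration above implies a two-hop flow: the SDK signs a JWT as the JWT_SERVC_ACCT service account, exchanges it at the OAuth 2.0 token endpoint (service mapping googleapis.com/oauth2), and then calls the IAM Service Account Credentials API (iamcredentials.googleapis.com) to mint an access token for the API service account, which is why the Service Account Token Creator role is required. The Python below is an added illustration of that flow and of the Token Refresh Seconds cache rule; it is not SDK code. It assumes a hypothetical injected `signer` callable standing in for the RS256 signature that STRUST produces with the imported P12 key, and uses Google's standard token and iamcredentials endpoints.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Endpoints behind the page's service mapping entries
# (googleapis.com/oauth2 -> GOOG_OAUTH2_TOKEN, iamcredentials.googleapis.com -> GOOG_IAMCREDENTIALS).
OAUTH2_TOKEN_URL = "https://oauth2.googleapis.com/token"
IAMCREDENTIALS_URL = (
    "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
    "{sa}:generateAccessToken"
)
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_jwt_assertion(jwt_service_account, signer, now=None, lifetime=3600):
    """Hop 1: the self-signed JWT presented to the OAuth 2.0 token endpoint.

    `signer` is a hypothetical callable (assumption of this example) that must
    return an RS256 signature over the signing input, made with the private key
    of JWT_SERVC_ACCT; in SAP that key is the P12 imported into STRUST under the
    SSF application ZG_JWT. Injecting it lets the claim-set logic run without a key.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": jwt_service_account,      # the JWT_SERVC_ACCT service account email
        "scope": CLOUD_PLATFORM_SCOPE,   # the Google Cloud Scope from the client key
        "aud": OAUTH2_TOKEN_URL,
        "iat": now,
        "exp": now + lifetime,           # Google rejects assertions valid longer than 1 h
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def decode_jwt_claims(assertion: str) -> dict:
    """Return the (unverified) claim set, handy when checking what the SAP side sends."""
    _header_b64, claims_b64, _sig_b64 = assertion.split(".")
    return json.loads(_b64url_decode(claims_b64))


def token_request(assertion: str) -> urllib.request.Request:
    """Hop 1 HTTP request: exchange the assertion for an access token of JWT_SERVC_ACCT."""
    body = urllib.parse.urlencode(
        {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}
    ).encode("ascii")
    return urllib.request.Request(
        OAUTH2_TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def impersonation_request(jwt_sa_token, api_service_account, lifetime_seconds=3600):
    """Hop 2: ask iamcredentials for an access token of the API service account.

    This only succeeds when JWT_SERVC_ACCT holds Service Account Token Creator
    on `api_service_account`; a missing grant surfaces here as HTTP 403.
    """
    body = json.dumps(
        {"scope": [CLOUD_PLATFORM_SCOPE], "lifetime": f"{lifetime_seconds}s"}
    ).encode("utf-8")
    return urllib.request.Request(
        IAMCREDENTIALS_URL.format(sa=api_service_account), data=body, method="POST",
        headers={"Authorization": f"Bearer {jwt_sa_token}",
                 "Content-Type": "application/json"},
    )


def needs_refresh(issued_at, now, token_refresh_seconds=3500):
    """Token Caching rule from the client key table: reuse a cached token until it is
    Token Refresh Seconds old. The default 3500 leaves a margin before a one-hour
    access token expires, so a cached token is never presented at its expiry."""
    return now - issued_at >= token_refresh_seconds
```

Sending the requests (urllib.request.urlopen) and parsing the access_token out of each JSON response is the only part left out; the hop 1 response's access_token is the bearer for hop 2.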
Authenticate to Google Workspace APIs using OAuth 2.0 client credentials
To authenticate to Google Workspace APIs using OAuth 2.0 client credentials, you need to complete the following configurations in your Google Cloud project and your SAP landscape:
- Google Cloud console configurations
- SAP landscape configurations
The ABAP SDK for Google Cloud is shipped with the following core components, which are required for the OAuth 2.0 client credentials based authentication:
- OAuth 2.0 service provider type /GOOG/ABAP_SDK that you specify for your OAuth 2.0 client profile configuration.
- Authentication class /GOOG/CL_OAUTH_GOOGLE that you specify for the client key configuration.
- SAP Business Add-Ins (BAdIs) implementations that pre-populate Google specific OAuth parameters such as endpoints and required parameter settings.
However, you also need to complete the following configurations in your SAP landscape:
- Create OAuth 2.0 client profile
- Configure OAuth 2.0 client
- Configure client key
- Request OAuth 2.0 access tokens
Create OAuth 2.0 consent
The OAuth consent screen is a prompt that tells users who's requesting access to their data and what kind of data users are allowing your app to access.
In the Google Cloud console, go to Menu> APIs & Services > OAuth consent screen.
Select the External user type for your app, and click Create.
To complete the app registration form, specify the following details:
- App name: the name of the application that requires consent.
- User support email: a support email for users to contact you with questions about their consent.
- Authorized domains: the domains to be used during OAuth consent.
- Developer contact information: the email addresses for Google to notify you about any changes to your project.
Click Save and Continue.
Create OAuth 2.0 client ID credentials
To authenticate as an end user and access user data in your app, you need to create one or more OAuth 2.0 Client IDs. A client ID is used to identify a single app to Google's OAuth servers.
In the Google Cloud console, go to Menu > APIs & Services > Credentials.
Click Create Credentials > OAuth client ID.
In the Application type field, select Web application.
In the Name field, type a name for the credentials. This name is shown only in the Google Cloud console.
Under Authorized redirect URIs, click Add URI. Then, enter your SAP redirection URI to which the OAuth 2.0 server can send responses.
You can get the SAP redirection URI from the OAuth 2.0 settings in your SICF transaction.
Click Create.
Make a note of the Client ID and the Client secret.
Create OAuth 2.0 client profile
As an ABAP developer, you create an OAuth client profile with the OAuth 2.0 scopes that are required for your business requirements. For information about the OAuth 2.0 scopes for the Google APIs, see OAuth 2.0 Scopes for Google APIs.
A sample OAuth client profile /GOOG/OAUTH_PROFILE_SAMPLE is shipped with the SDK, with the OAuth 2.0 scopes configured for the Google Sheets API.
- In the SAP GUI, enter transaction code SE80.
- From the drop down list, select Development Object.
- To create a development object in the custom namespace, select Create > Others > OAuth 2.0 Client Profile in the context menu of the object name.
- Enter the following details:
  - In the Client Profile field, enter a name of the client profile.
  - In the Type field, select /GOOG/ABAP_SDK. This is the default provider type shipped with the ABAP SDK for Google Cloud.
- Add the necessary scopes to your client profile. For information about the OAuth 2.0 scopes, see OAuth 2.0 Scopes for Google APIs.
- Save the client profile to your development package. Include the client profile in a transport request, which can be transported to higher environments.
Configure OAuth 2.0 client
As an SAP administrator, you associate the OAuth client profile with the Google Cloud client credentials.
This is a onetime activity that you need to perform on every SAP system in your SAP landscape (Development, Testing, and Production).
- In the SAP GUI, enter transaction code OA2C_CONFIG. The SAP login page opens in your default browser.
- Log in with your SAP credentials.
- To create an OAuth 2.0 client, click Create.
- In the Create a new OAuth 2.0 client dialog box:
- Select the OAuth 2.0 client profile that you created earlier in Create OAuth 2.0 client profile in your SAP system.
- Enter a configuration name.
- Enter the OAuth 2.0 Client ID from Google Cloud credentials that you created earlier in Create OAuth 2.0 client ID credentials.
- Click OK.
- On the Administration tab, in the General Setting section, enter the client secret from the Google Cloud credentials that you created earlier in Create OAuth 2.0 client ID credentials.
If you are using a proxy server to route the outbound HTTP/HTTPS traffic from your SAP system, then you need to maintain the following proxy host details in the Access Settings section:
- Proxy host
- Proxy port
- Proxy user
- Proxy password
Click Save.
Configure client key
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Click New Entries.
- Enter values for the following fields:

Field | Description
---|---
Google Cloud Key Name | Specify a name of the client key configuration.
Google Cloud Service Account Name | Leave this field blank.
Google Cloud Scope | Leave this field blank.
Google Cloud Project Identifier | Specify the ID of the Google Cloud project that contains your target APIs.
Command name | Leave this field blank.
Authorization Class | Specify the authentication class, /GOOG/CL_OAUTH_GOOGLE.
Token Caching | Leave this field blank.
Token Refresh Seconds | Leave this field blank.
Authorization Parameter 1 | Specify the name of the OAuth client profile that you created earlier in Create OAuth 2.0 client profile in your SAP system.
Authorization Parameter 2 | Specify the configuration name that you defined in the OAuth 2.0 client for a client ID. This field is mandatory if you have associated a single OAuth client profile with more than one client ID. For more information, see Multiple Google Cloud projects scenario.

- Save the new entry.
Request OAuth 2.0 access tokens
As an end user, you need to request an OAuth 2.0 access token to allow access to the API resources.
This is a onetime activity that each user needs to perform on every SAP system in your SAP landscape (Development, Testing, and Production). In case the OAuth scopes are modified, then users need to repeat this activity.
- In the SAP GUI, enter transaction code OA2C_GRANT. The SAP login page opens in your default browser.
- Log in with your SAP credentials.
- Select the client ID with which you want to access the APIs.
- Click Request OAuth 2.0 Tokens.
In the Sign in with Google consent screen, enter your Google account credentials and click Allow.
A green indicator in the Access Status column indicates access to the API resources is allowed as per the OAuth 2.0 client profile.
Multiple Google Cloud projects scenario
If you have enabled your Google Cloud APIs in more than one Google Cloud project, then follow this guidance for setting up authentication using OAuth 2.0 client credentials:
- In all the Google Cloud projects:
- In your SAP system:
- Create an OAuth 2.0 client profile.
- Configure OAuth 2.0 client for each client ID.
- If you need to associate a single OAuth client profile with more than one client ID, then follow these additional instructions:
- Configure OAuth 2.0 client for each client ID. When configuring an OAuth 2.0 client, in the Create a new OAuth 2.0 client dialog box, specify a unique configuration name for each client ID. For more information, see Configure OAuth 2.0 client.
- Configure separate client keys for each OAuth 2.0 client with its own configuration name in Authorization Parameter 2. For more information, see Configure client key.
Authenticate using API key stored in SAP SSF
The high-level configuration steps are as follows:
- Create an API key
- Store the API key in SSF
- Configure client key
- Create new RFC destinations
- Configure service mapping
- Validate authentication configuration
Create an API key
For authentication using API key, you need to create an API key.
An API key string is an encrypted string, for example, AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe.
ABAP SDK for Google Cloud uses the API key string in the HTTP request to securely authenticate when calling a Google Cloud API.
Google Cloud provides multiple ways to create API keys.
To create API keys using the Google Cloud console, perform the following steps:
In the Google Cloud console, go to the Credentials page:
Click Create Credentials and select API key from the menu.
The API key created dialog displays the API key string. Copy your key string and keep it secure. You need this API key to configure authentication in SAP.
By default, API keys are unrestricted. We recommend that you restrict each API key to the APIs with which it can be used. For more information about adding API restrictions, see Add API restrictions.
Store the API key in SSF
The ABAP SDK for Google Cloud provides an option to securely store API keys using the SAP Secure Store and Forward mechanism (SSF).
By using the SSF option, you can store the API key in an encrypted format in the table /GOOG/APIKEY_BIN. When an API is called, the API key is retrieved from the table /GOOG/APIKEY_BIN, decrypted, and appended to the API endpoint URI.
For security purposes, you cannot view the contents of /GOOG/APIKEY_BIN using standard tools, such as the transactions SE16, SE16N, or SE11.
Prerequisites
For authentication using API key stored in SAP SSF, you must have version 8.5 and above of the SAP Cryptographic Library installed in your SAP system. For more information about SAP Cryptographic Library, see 1848999 - Central Note for CommonCryptoLib 8 (SAPCRYPTOLIB) and 397175 - SAP Cryptographic software - export control.
To verify the version of SAP Cryptographic Library, perform the following steps:
- In the SAP GUI, enter transaction code STRUST.
- Go to the Environment menu, and then click Display SSF Version.
Set up SSF application
In the table SSFAPPLIC, create a new SSF application ZG_APK that encrypts the API key. ZG_APK is the default SSF application name. Alternatively, you can create an SSF application with your preferred name or use an existing SSF application that has a different name. If you want to use a different SSF application for encryption, then you need to configure the SSF application name in Authorization Parameter 1 of the client key table.
To create a new entry in the table SSFAPPLIC, perform the following steps:
- In the SAP GUI, enter transaction code SE16.
- In the Table Name field, enter SSFAPPLIC, and then create a new entry.
- In the APPLIC field, enter ZG_APK. Specify values in the following fields:

Field        Value
APPLIC       ZG_APK
B_TOOLKIT    Select the flag.
B_FORMAT     Select the flag.
B_PAB        Select the flag.
B_PROFID     Select the flag.
B_PROFILE    Select the flag.
B_HASHALG    Leave this field blank.
B_ENCRALG    Leave this field blank.
B_INCCERTS   Leave this field blank.
B_DETACHED   Leave this field blank.
B_ASKPWD     Leave this field blank.
B_DISTRIB    Select the flag.
DESCRIPT     API Key Encryption for GCP

- Save the new entry.
Create SSF parameters
- In the SAP GUI, enter transaction code SM30.
- Open the view VSSFARGS.
- For application ZG_APK (API Key Encryption for GCP), create a new entry. The application-specific SSF parameters are populated automatically.
- Save the new entry.
Create a Personal Security Environment (PSE)
- In the SAP GUI, enter transaction code STRUST.
- Under the node SSF API Key Encryption for GCP, right-click and select Create.
- In the Algorithm field, select RSA. Leave the other fields with their system-populated default values.
- Save the new entry.
Store the API key
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure API Key (Using SSF).
- In the Google Key Name field, enter the name of the client key configuration.
- In the API Key field, enter the API key that you created earlier in Create an API key.
- Select Save.
- Click Execute to store the API key.
Configure client key
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Click New Entries.
- Enter values for the following fields:
  - Google Cloud Key Name: Specify a name for the client key configuration. For example, DEMO_API_KEY.
  - Google Cloud Service Account Name: Leave this field blank.
  - Google Cloud Scope: Specify the API access scope, https://www.googleapis.com/auth/cloud-platform.
  - Project ID: Specify the ID of the Google Cloud project that contains your target APIs.
  - Command name: Leave this field blank.
  - Authorization Class: Specify the authorization class /GOOG/CL_AUTH_API_KEY_SSF.
  - Token Caching: The flag that determines whether or not the access tokens retrieved from Google Cloud are cached. We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching.
  - Token Refresh Seconds: Specify the amount of time, in seconds, before an access token expires and must be refreshed. The default value is 3500.
  - Authorization Parameter 1: If the SSF application name is different from ZG_APK, then specify your SSF application name.
  - Authorization Parameter 2: Leave this field blank.
- Save the new entry.
Create new RFC destinations
For the APIs that you plan to consume using the ABAP SDK for Google Cloud, create new RFC destinations.
For information about creating RFC destinations, see RFC destinations.
If RFC destinations are not created and configured, the ABAP SDK for Google Cloud functions using the default API endpoints maintained in individual API client stubs.
Configure service mapping
Configure the service mapping table for the APIs that you plan to consume using the ABAP SDK for Google Cloud.
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.
- Click New Entries.
- Specify RFC destinations for the APIs that you plan to use, for example, addressvalidation:v1. If you're going to consume other APIs, then specify RFC destinations for those APIs.

Google Cloud Key Name    Google Cloud Service Name    RFC Destination
Client key name          addressvalidation:v1         RFC_ADDRVALDN_V1

- Save the new entry.
Delete an API key
If an API key is no longer used, then you can delete the API key from your SAP system.
To delete an API key, perform the following steps:
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure API Key (Using SSF).
- In the Google Key Name field, enter the name of the client key configuration.
- Select Delete.
- Click Execute to delete the API key.
Authenticate using API key stored in Secret Manager
The high-level configuration steps are as follows:
- Create an API key
- Create a secret and store the API key
- Configure client key for Secret Manager access
- Configure client key for the secret
- Create new RFC destinations
- Configure service mapping
- Validate API key retrieval from Secret Manager
- Validate authentication configuration
Create an API key
For authentication using an API key, you need to create an API key. An API key string is an encrypted string, for example, AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe. The ABAP SDK for Google Cloud sends the API key string in the HTTP request to securely authenticate when calling a Google Cloud API.
Google Cloud provides multiple ways to create API keys.
To create an API key using the Google Cloud console, perform the following steps:
- In the Google Cloud console, go to the Credentials page.
- Click Create Credentials and select API key from the menu.
- The API key created dialog displays the API key string. Copy your key string and keep it secure. You need this API key to configure authentication in SAP.
By default, API keys are unrestricted. We recommend that you restrict API keys by selecting the APIs with which this API key can be used. For more information about adding API restrictions, see Add API restrictions.
Create a secret and store the API key
The ABAP SDK for Google Cloud provides an option to securely store API keys using the Secret Manager service of Google Cloud. By storing API key strings in Secret Manager, you can follow the best practices for securely using API keys.
To create a secret and store the API key, perform the following steps:
- Enable the Secret Manager API.
- In the Google Cloud console, create a secret, and store the API key as the latest version. For information about how to create a secret, see Create a secret.
The ABAP SDK for Google Cloud by default retrieves only the latest version of a secret.
Configure client key for Secret Manager access
Secret Manager APIs use tokens for authentication, so you need to set up token-based authentication to access Secret Manager APIs, depending on your SAP deployment.
Use one of the following methods to set up token-based authentication to access Secret Manager APIs:
- Authenticate using tokens for SAP on Compute Engine VM
- Authenticate using tokens for SAP hosted outside Google Cloud
Note down the client key name that you created for Secret Manager access.
Configure client key for the secret
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Client Key.
- Click New Entries.
- Enter values for the following fields:
  - Google Cloud Key Name: Specify a name for the client key configuration. For example, DEMO_API_KEY.
  - Google Cloud Service Account Name: Leave this field blank.
  - Google Cloud Scope: Specify the API access scope, https://www.googleapis.com/auth/cloud-platform.
  - Project ID: Specify the ID of the Google Cloud project that contains your target APIs.
  - Command name: Leave this field blank.
  - Authorization Class: Specify /GOOG/CL_AUTH_API_KEY_SM.
  - Token Caching: The flag that determines whether or not the access tokens retrieved from Google Cloud are cached. We recommend that you enable token caching after you are done configuring and testing your connection to Google Cloud. For more information about token caching, see Enable token caching.
  - Token Refresh Seconds: Specify the amount of time, in seconds, before an access token expires and must be refreshed. The default value is 3500.
  - Authorization Parameter 1: Specify the name of the client key that you created for Secret Manager access. For example, CLIENT_KEY_SM.
  - Authorization Parameter 2: Specify the name of the secret in which the API key is stored. For example, TEST_SECRET.
- Save the new entry.
Create new RFC destinations
For the APIs that you plan to consume using the ABAP SDK for Google Cloud, create new RFC destinations.
For information about creating RFC destinations, see RFC destinations.
If RFC destinations are not created and configured, the ABAP SDK for Google Cloud functions using the default API endpoints maintained in individual API client stubs.
Configure service mapping
Configure the service mapping table for the APIs that you plan to consume using the ABAP SDK for Google Cloud.
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Basic Settings > Configure Service Mapping.
- Click New Entries.
- Specify RFC destinations for the APIs that you plan to use, for example, addressvalidation:v1. If you're going to consume other APIs, then specify RFC destinations for those APIs.

Google Cloud Key Name    Google Cloud Service Name    RFC Destination
Client key name          addressvalidation:v1         RFC_ADDRVALDN_V1

- Save the new entry.
Validate API key retrieval from Secret Manager
To validate API key retrieval from Secret Manager, perform the following steps:
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Utilities > Validate API key retrieval (Using Secret Manager).
- Specify the client key name.
- Click Execute to check whether the API key is retrieved successfully from Secret Manager.
Validate authentication configuration
To validate the authentication configuration, perform the following steps:
- In the SAP GUI, enter transaction code SPRO.
- Click SAP Reference IMG.
- Click ABAP SDK for Google Cloud > Utilities > Validate Authentication Configuration.
- Enter the client key name.
- Click Execute to check whether the overall flow is configured successfully.
A green check in the Result column indicates that all configuration steps are completed successfully.
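Once the validation utility reports success, an ABAP program consumes the configuration by naming the client key only. The following report is an added example, not code from this page or from the SDK's own documentation, and it serves both the SSF-stored key (client key DEMO_API_KEY with Authorization Class /GOOG/CL_AUTH_API_KEY_SSF) and the Secret Manager-stored key (the same client key name with /GOOG/CL_AUTH_API_KEY_SM): the SDK resolves the Authorization Class from the client key table, retrieves the key, and appends it to the endpoint URI, so the key string never appears in application code. The stub class name /GOOG/CL_ADDRVALDN_V1, the method VALIDATE_ADDRESS, the type names TY_005 and TY_008, the field names under the address structure, and the report and parameter names are assumptions based on the SDK's naming convention; verify them against the stub installed in your system.

```abap
*&---------------------------------------------------------------------*
*& Report ZDEMO_GOOG_API_KEY_AUTH (added example, not part of the SDK)
*& Calls the Address Validation API through the SDK stub. The program
*& only names the client key; the SDK reads the Authorization Class from
*& that configuration (/GOOG/CL_AUTH_API_KEY_SSF or
*& /GOOG/CL_AUTH_API_KEY_SM), fetches the key and appends it to the
*& endpoint URI, so the key string is never handled here.
*&---------------------------------------------------------------------*
REPORT zdemo_goog_api_key_auth.

" Client key name from Basic Settings > Configure Client Key (value from the page).
PARAMETERS p_key TYPE c LENGTH 30 DEFAULT 'DEMO_API_KEY'.

" Assumed stub class and type names for addressvalidation:v1; check the
" public section of the stub installed in your system for the real names.
DATA lo_client   TYPE REF TO /goog/cl_addrvaldn_v1.
DATA ls_input    TYPE /goog/cl_addrvaldn_v1=>ty_005.   " validateAddress request (assumed)
DATA ls_output   TYPE /goog/cl_addrvaldn_v1=>ty_008.   " validateAddress response (assumed)
DATA lv_ret_code TYPE i.
DATA lv_err_text TYPE string.
DATA ls_err_resp TYPE /goog/err_resp.
DATA lo_sdk_exc  TYPE REF TO /goog/cx_sdk.

START-OF-SELECTION.
  TRY.
      " Instantiating the stub with the client key name is the only
      " authentication-related step the program performs.
      lo_client = NEW #( iv_key_name = CONV #( p_key ) ).

      " Constructed sample input; any syntactically valid address works.
      ls_input-address-region_code = 'US'.
      APPEND '1600 Amphitheatre Pkwy, Mountain View, CA 94043'
        TO ls_input-address-address_lines.

      lo_client->validate_address(
        EXPORTING
          is_input    = ls_input
        IMPORTING
          es_output   = ls_output
          ev_ret_code = lv_ret_code
          ev_err_text = lv_err_text
          es_err_resp = ls_err_resp ).

      IF lo_client->is_success( lv_ret_code ) = abap_true.
        " HTTP 2xx: the key was read from SSF or Secret Manager and accepted
        " by the API, so the whole authentication chain works.
        MESSAGE |Address Validation call succeeded (HTTP { lv_ret_code })| TYPE 'S'.
      ELSE.
        " HTTP 400/403 here usually means the key is wrong, restricted to
        " other APIs, or the target API is not enabled in the project.
        " Report only the SDK error text; never log the request URI,
        " because it carries the API key as a query parameter.
        MESSAGE |Call failed (HTTP { lv_ret_code }): { lv_err_text }|
          TYPE 'S' DISPLAY LIKE 'E'.
      ENDIF.

      lo_client->close( ).

    CATCH /goog/cx_sdk INTO lo_sdk_exc.
      " Raised before the call reaches the API: missing client key
      " configuration, SSF decryption failure, or Secret Manager access
      " denied for the client key named in Authorization Parameter 1.
      MESSAGE lo_sdk_exc->get_error_text( ) TYPE 'S' DISPLAY LIKE 'E'.
  ENDTRY.
```

Because the program depends on the client key name alone, switching from the SSF-stored key to the Secret Manager-stored key (or rotating the key itself) is a configuration change in the client key table or in the secret's latest version, with no change to application code.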